More problems emerge on the Community Health Systems network

More details have emerged concerning the state of security on Community Health System’s (CHS) network. Research from Lookingglass, a security intelligence firm based in Arlington, Virginia, shows a pattern of un-patched systems and inadequate vulnerability management.

On Monday, CHS disclosed a data breach in an 8-K filing with the U.S. Securities and Exchange Commission.

In it, the company said that in April and June of 2014, attackers believed to be from China (a determination made by Mandiant after CHS hired them to do clean-up), compromised 4.5 million records.

The records contained information related to people who had been referred to or received services from CHS over the last five years. The compromised records included valuable personal data such as names, addresses, birth dates, phone numbers, and Social Security Numbers.

Twenty-four hours later, word spread that the source of the CHS breach was a vulnerable Juniper device.

The device wasn’t patched against a flaw in OpenSSL, commonly known as Heartbleed. The attackers exploited this issue to gain access to VPN credentials, and used them to traverse the CHS network. Since this news has emerged, CHS has made no statements on the matter.

The breach was bad enough, but new information shows that the problem is much larger than a vulnerable Juniper device.

CHS operates a network that includes more than 200 hospitals in 29 states. Using their own platform, Lookingglass checked the autonomous system number (ASN) and a number of CIDRs used by CHS. The data gave them a look at the current and historical indicators of compromise on the network, and what they found was a bit troubling, but at the same time, unsurprising.

“We immediately found 12,500 Internet Protocol (IP) addresses associated with CHS of which ten (10) are linked with various bots and blacklists,” the report explained.

Among the infections discovered were Asprox, Kelihos, Conficker, Ramdo, Sality, and Zeus (GameOver).

“These bots are known for performing SQL injections, phishing scams, spamming, Bitcoin theft, data exfiltration, proxy services, click fraud and banking credential theft… In every case, multiple threat indicators are associated with each individual questionable IP. That suggests the IPs are gateways or proxies with multiple hosts behind them.”

The highlight issue however, is that CHS has active Conficker infections.

The Worm was discovered in 2008, and a patch from Microsoft related to the key infection vector was made available soon after. When the other malware and the initial reports of the data breach are considered, it points to a painful conclusion.

“These infections are a strong indicator that systems have gone un-patched for years – a common theme in the healthcare industry,” the Lookingglass report added.

“Lookingglass has observed these IPs showing infections as early as January 2014 and as recent as today. If an advance nation-state penetrated this network, they probably didn’t have to work very hard to gain a foothold.”

Despite these problems, it would seem that CHS was correct in their assessment that the issue wouldn’t “have a material adverse effect on its business or financial results.”

The company carries liability insurance against attacks of this nature. By most accounts, assuming that the Health and Human Services (HHS) department threw the book at them, CHS would only see a $6 million dollar fine for HIPAA violations. After that, they’ll have to deal with state-level regulatory issues and civil cases.

When it comes to the fines however, it’s hard to tell if a lack of patching and vulnerability management can be called “willful neglect” (either corrected or uncorrected). While it seems cut and dry, medical organizations typically spend on IT only after money needed for patient care has been allocated.

It becomes a case where the choice is to fix VPNs and endpoints, or purchase a new clinical system. One could impact lives; the other helps you check a box.

Either way, the state of security in the medical industry is in serious need of an overhaul, and the CHS breach is a perfect case study.